This post is about making performance enhancements to a WebRTC app so that they can be used in the area which requires sensitive data to be communicated, cannot afford downtime, fast response and low RTT, need to be secure enough to withstand and hacks and attacks.
Best practices for WebRTC single page applications
As a check the communication clients become single page driven , a lot of authetication , heartbeat sync , web workers , signalling event driven flow management resides on the same page along with the actuall CPU consumption for the audio video resources and media streams . This in turns can make the webpage heavy and many a times could result in crash due to being ” unresponsive”.
Here are some my best to-dos for making sure the webrtc communication client page runs efficiently
Visual stability and CLS ( Cummulative Layout Shift)
CLS metrics measures the sum total of all individual layout shift scores for every unexpected layout shift that occurs during the entire lifespan of the page.
To have a good user interactionn experiences, the DOM elements should display as less movement as possible so that page appears stable . In the opposite case for a flickering page ( maybe due to notification DOM dynamically pushing the other layout elements ) it is difficult to precisely interact with the page elements such as buttons .
Minimize main thread work
Depriciation of XMLHTTP request on main thread
Reduce Javacsipt execution Time
Unoptimized JS code takes longer to execute and impacts network , parse-compileand memory cost.
Some effective tips to spedding up JS execution include
- minifying and compressing code
- Removing the unused code and console.logs
- Apply caching to save lookup time
In one of my previous posts I have mentioned about Security threats to WebRTC Solution . It includes mainly 4 ways in which WebRTC Solution Providers and Users are vulnerable , which includes
- Identity Management ,
- Browser Security ,
- Authentication and
- Media encryption.
Identity Management ,
Browser Security ,
Browser Threat Model
Best practices for the Webrtc comm agents
ICE TURN challenges
Cookies – Security vs persistsnt state
Cross-site request forgery (CSRF) attacks rely on the fact that cookies are attached to any request to a given origin, no matter who initiates the request.
While adding cookies we must ensure that if SameSite =None , the cookies must be secure
Set-Cookie: widget_session=abc123; SameSite=None; Secure
Strict, your cookie will only be sent in a first-party context. In user terms, the cookie will only be sent if the site for the cookie matches the site currently shown in the browser’s URL bar.
Set-Cookie: promo_shown=1; SameSite=Strict
You can test this behavior as of Chrome 76 by enabling
chrome://flags/#cookies-without-same-site-must-be-secure and from Firefox 69 in
about:config by setting
Key Performance Indicators (KPIs) are used to evaluate the performance of a website . It is crticial that a webrtc web page must be light weight to acocmodate the signalling control stack javscript libs to be used for offer answer handling and communicating with the signaller on open sockets or long polling mechnism .
Lighthouse tab in chrome developer tools shows relavnat areas of imporevemnt on the webpage from performmace , Accesibility , Best Practices , Search Engine optimization and progressive Web App
Also shsows individual categories and comments
Time to render and Page load
Page attributes under Chrome developers control depicts the page load and redering time for every element includeing scripts and markup. Specifically it has
- Time to Title
- Time to render
- Time to inetract
Networking attributes to be cofigured based on DNS mapping and host provider. These Can be evalutaed based on chrome developer tool reports
Task interaction time
Other page interaction crtiteria includes the frames their inetraction and timings for the same.
In the screenhosta ttcjed see the loading tasks which basically depcits the delay by dom elements under transitions owing to user interaction . This ideally should be minimum to keep the page responsive.
Page’s total memeory
The above functions ( old and new ) estimates the memory usage of the entire web page
these calls can be used to correlate new JS code with the impact on memery and subsewuntly find if there are any memeory leaks . Can also use these memery metrics to do A/B testing .
DNS lookup Time
Services such as Pingdom (https://tools.pingdom.com/) or WebPageTest can quickly calculate your website’s DNS lookup times
Load / sgtress tresting can be perfomed over tools such as LoadStorm , JMeter
Page weight and PRPL
Loading assests over CDN , minfying sripts and reducing over all weight of the page are good ways to keep the pagae light and active and prevent any chrome tab crashes .
PRPL expands to Push/preload , Render , PreCache , Lazy load
- Render the initial route as soon as possible.
- Pre-cache remaining assets.
- Lazy load other routes and non-critical assets.
Preload is a declarative fetch request that tells the browser to request a resource as soon as possible. Hence should be used for crticial assests .
<link rel="preload" as="script" href="critical.js">
The non critical compoenents could then be loaded on async .
Web Workers are a simple means for web content to run scripts in background threads.The
Worker interface spawns real OS-level threads
By acting as a proxy, service workers can fetch assets directly from the cache rather than the server on repeat visits.
Conversion Rates over analytics Tools
Google Analytics is a good way of deducing Converdsation and bounce rates
Vide codecs Vp8 vs VP9
SFU vs MCU or p2p media flow